NASA's Nelson makes security a frontline issue

NASA's David Nelson says he believes that metrics are critical for formulating IT security plans and policies.

The space agency's philosophy is that security is an essential component of any project, not something to be added on later

David Nelson is all too familiar with the battle fatigue that comes with the daily campaign to keep systems secure.

Take, for example, the quarterly job of scanning NASA's 85,000 computers for weak spots. 'For the first couple of quarters, there's some excitement, and you can bring the energy level up and work the long hours to do it,' said Nelson, NASA's deputy chief information officer for information technology security.

'But then when it's quarter after quarter you have to transition. Instead of being this adrenaline-driven start-up program, it becomes a sustained program. And we have found some difficulty in transitioning to the sustainment.'

The workload is heavy and unrelenting, but everyone at NASA knows how important it is, he said.

Heavy workload

'The number of staff for this activity is relatively few, and so we have imposed workloads on people that may not be sustainable,' Nelson said. 'They tell us they're happy to do it, but then when they fall asleep at meetings, we know that maybe we need to rethink it.'

As NASA's security chief, Nelson is a stickler for good systems management. It's integral to securing systems, he said.

Last spring, Nelson trudged up to Capitol Hill to testify before the House Government Reform Subcommittee on Government Management, Information and Technology about enhancing computer security.

'Without good management, even the best technology will not be effectively deployed and used in a large organization such as NASA,' he said.

This year, as cyberattacks mounted and threats became ever more serious, proficient IT management has become more critical than ever, Nelson said.

'I really do believe it,' he said. 'I tell my management colleagues that IT security is an example of Management 101. Yes, it has technical features that have to be understood by somebody. But if a manager uses standard management practice, he or she should be able to deal with IT security.'

Using Web modules, everyone at NASA, from CIOs to ordinary users, is trained and retrained in security awareness. It's an ongoing process.

'We have training every year for all of our users,' he said. 'There are tests. You don't get credit unless you pass the tests'so it's like going back to high school.'

NASA also has applied what Nelson terms 'this management construct' to the agency's security technologies.

'We have a fairly comprehensive suite of intrusion detection tools,' he said. 'We're moving to do a better job of analyzing the results. We scan our systems for vulnerabilities and try to prioritize the most serious vulnerabilities. That's a management task.' A steady supply of new weaknesses causes them to continually modify that list of priorities. NASA also is working on harmonizing standards for firewalls and border routers across the agency so that one center can trust another center's packets, Nelson added.

In addition to good management, Nelson emphasized the importance of metrics in formulating security plans and policies.

He compares metrics to headlights. Gathering and analyzing metrics illuminates the road ahead, identifies hazards and points security managers in the right direction.

'We find it helps us understand where we need to put increased attention,' he said.At NASA, everything relating to security is turned into a statistic.

'We track the incidents, the type of compromises and the types of vulnerabilities and use that data to help decide what to focus on,' he said. 'We use metrics to make sure that all of our systems have security plans.'

But users are crying out for help, Nelson said. They can't keep track of all their passwords.

'I made a list once,' Nelson said. 'I carry almost 30 passwords for various systems.

'The environment has changed,' he continued. 'There are so many passwords, and they are so hard to remember that we're now looking at the next step: doing away with [multiple] passwords and going to a single sign-on system using our public-key infrastructure.' The PKI would be linked to directory services so that users have directory-enabled applications and wouldn't have to set up individual passwords.

Meticulous management comes fairly easily to Nelson.

Experience in the trenches

When he arrived at NASA from the Energy Department two years ago to take charge of security, he brought a formidable background in program management and IT operations. But he had little direct experience in security policy.

'At Energy, I was managing research, computer centers and networks, so I had to worry about these things as a doer,' he said. 'And that's been a big help to me now that I'm a policy leader because I know what it's like to be in the operational trenches.'

At NASA, he said, the IT security program is based on the philosophy that security is an essential component of any project'not something added on later.

'I think my own experience in accomplishing mission has helped me to realize that' and promote the philosophy, Nelson said. 'I think perhaps the mission owners are more willing to listen to me because they think of me as a peer.'

Nelson, who holds a doctorate in mathematics from New York University, joined Energy in 1979 after a stint as a research scientist at the Oak Ridge National Laboratory in Tennessee, a facility managed for the department by a contractor.

He eventually moved over to Energy as the result of a sort of challenge to himself. Of course, it had to do with management.

'I complained about the quality of federal management of the program I worked in,' he said. 'Then I was asked to take over management of that program. I felt that if I refused I had pretty much given up my right to complain.'

Predict future

What's the hardest part about managing security at NASA?

'It's really trying to keep all the threads together,' he said. 'It's trying to prioritize. It's trying to figure out what to do next. Those are all related.

'That's what keeps me up at night. I keep struggling to come up with the vision and strategy that I can sell that as a consensus so people will go the same direction and believe it's the right direction.'

At the same time, he's trying to visualize what needs to be done two or three years ahead.

'We have to issue metrics and milestones before the [fiscal] year starts so we're already worrying about the budgets we have to plan in advance and the technologies we have to begin architecting,' he said.

'Then I have to be sure that those ideas are good ideas'they're not all mine and I get them from a lot of sources'but still I'm the keeper of those ideas, the keeper of the vision and the keeper of the overall strategy. And I have to make sure that works for NASA.'